CVE-2025-62762
Description
Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.51.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress SMTP Mail plugin up to v1.3.51 allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The SMTP Mail plugin for WordPress (versions through 1.3.51) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises because the plugin does not properly validate or enforce anti-CSRF tokens on sensitive actions, allowing attackers to trick authenticated administrators into unknowingly performing unintended requests [1].
Exploitation Conditions
Exploitation requires a privileged user (e.g., administrator) to interact with a crafted link or form while logged into the WordPress admin area. The attacker does not need any direct access to the site; social engineering (e.g., via email or a malicious page) is sufficient to trigger the request. The CSRF can be carried out without any special permissions beyond the victim's existing session [1].
Impact
A successful CSRF attack could enable an attacker to modify plugin settings, change email configurations, or perform other administrative actions under the victim's privileges. This could lead to email service disruption, data leakage, or further compromise of the WordPress installation. The vulnerability has a CVSS score of 4.3 (Medium) [1].
Mitigation
The vendor has released an update; users are advised to upgrade to version 1.3.52 or later. As an interim measure, restricting admin account privileges and educating users about phishing risks can reduce the likelihood of exploitation [1].
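To check whether a given WordPress tree still carries a version in the affected range, the following added example (not code from the plugin or from this advisory) reads the plugin's header version and compares it with the range in the description. It assumes the default wp-content/plugins layout and the plugin slug smtp-mail; the function names and status strings are this example's own.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "smtp-mail"      # slug from the CVE description
LAST_AFFECTED = (1, 3, 51)     # "through <= 1.3.51" per the description

# WordPress reads plugin metadata from a header comment near the top of a PHP file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)


def parse_version(text):
    """Return the header version as a tuple of ints, or None without a plugin header."""
    if not _NAME_RE.search(text):
        return None
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split(".") if p)


def installed_version(wp_root):
    """Find the plugin's version by scanning top-level PHP files in its directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG  # assumed default layout
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KB of each file for headers.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            return version
    return None


def is_affected(version):
    """True when the version falls in the range the CVE lists (<= 1.3.51)."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded <= LAST_AFFECTED


def audit(wp_root):
    """Classify one WordPress root: not-installed, affected, or not-in-affected-range."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    return "affected" if is_affected(version) else "not-in-affected-range"
```

Call `audit("/path/to/wordpress")` for each site root; a result of "not-installed" also covers installs that relocate the plugins directory, which this example does not resolve.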
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.3.51
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.